Malware-Resilient Strong Authentication and Crypto Software-as-a-Service is Released.

Traditional IT security measures such as anti-virus fail to prevent malware from infesting our computers. While our defences have been shown to be inadequate, novel software methods are announced to prevent malware from stealing valuable data.
By: SentryCom Ltd.
 
 
Sept. 10, 2010 - PRLog -- Introduction.
According to Reuters, from Sept. 8, 2010: "The Silent Epidemic: Cybercrime Strikes More Than Two-Thirds of Internet Users. New Norton Study of 7,000 Web Users Is First to Gauge Emotional Impact of Cybercrime; Victims Feel Ripped Off ... and Pissed Off."
There is a good chance that your computer is infested with malware. In most cases the purpose of malware is to perpetrate identity fraud for the financial gain of the fraudsters.
Therefore the problem we are facing today is that we cannot trust our computers anymore. The passwords we enter are stolen by key loggers, the transaction data we enter in the browser is modified by Trojans, etc.
Given the scale of the problem and potential cost, especially in a fragile economy, it is highly unlikely that the solution to the problem will be too expensive in terms of up-front, distribution and maintenance costs. Software-as-a-Service (SaaS) is the natural candidate.
But can SaaS be malware-resilient?
In other words, can we trust this SaaS if we cannot trust our computer?
If this SaaS is client-only software on the computer, the answer is no. Malware will find ways to circumvent it, no matter how secure it may look.
SaaS must utilize a client-server architecture to be trustworthy. We put our trust in the server…
But, quoting Hanno Langweg and Tommy Kristiansen, "interacting with the local human user is the weak point in client-server communications. While machines can employ cryptographical mechanisms to ensure authenticity, integrity, and confidentiality of communication, humans are not capable of this. They rely on their local computer to present data and transmit their input to a server reliably. Today’s operating systems provide protection against unauthorized modification of operating system components and offer mechanisms like discretionary access control and process separation to users and processes. Often, all processes of the same user operate with the same privileges. Malicious software (malware) can exploit this fact to read input destined for other processes (e.g. a key-logger) or modify the output displayed to the user (e.g. local phishing attack).
A number of applications today are structured after the client-server pattern: internet banking, contract signing, e.g. in e-government, or online voting. Here, the main application is run on highly protected servers. Users connect to the server from their local machine. The machine acts as a smart terminal, collecting user input, transmitting it to the server, receiving server data and displaying server output.
The local user initiates and completes transactions with the server application.
The user interacts with a local application via the local user interface. Some problems immediately arise:
1. How do user and application know which server they are talking to?
2. How does the server know which application it is talking to?
3. How does the user know which application input is directed to?
4. How does the user know which application produces the output?
5. How does the application know that user received the output?
6. How does the application know where input comes from?
The first two problems can be solved by using a cryptographic protocol that offers secure authentication of the communicating parties and integrity of the communication, e.g. SSL. The strength of the cryptographic algorithm relies on access of the adversary to encrypted data and on it being computationally infeasible to decrypt the data or forge a digital signature.
The remaining four questions demand a trusted path between the local application and the user. The local user interface is the weak link in the interaction of the user with the server application. An adversary is much more likely to attack here than spending resources on breaking a cryptographic algorithm – breaking cryptography is typically either a formidable mathematical challenge or requires a large amount of computing resources. Attacks on the server are another option. However, a server is usually easier to protect than a large number of clients."
Our approach.
Staging a defense against all possible threats is much harder than pinpointing your attack on the weak spots of your adversary.
Our approach to finding a trusted path does not rely on particular PC architectural strengths or weaknesses but rather on basic limitations of malware.
Limitation 1: Physically speaking into the PC microphone is impossible for any program residing on the same PC.
Therefore client authentication software that requires the user to actually speak into the PC microphone will be able to establish a trusted path to the authentication server.
On the other hand, malware residing on the same computer will not be able to complete the authentication, even though it has collected all the necessary digital information through key-loggers, etc.
Fig. 1: Malware is incapable of speaking into the PC microphone.
http://sentry-com.net/blog/wp-content/uploads/2010/09/Ple...
Limitation 2: Manipulation of displayed data by one program is detectable by another program.
Protecting the integrity of the information displayed to the user from being manipulated by malware is another issue. In this case malware does not care much about attacking the authentication mechanism; all it cares about is manipulating the display.
If all processes share the same display, then it is possible to detect the discrepancy between the data presented to the user for his/her confirmation and the data being actually digitally signed. Here again we are taking the physical path: malware can manipulate the display, but this manipulation can be detected.
Fig. 2: Malware is capable of manipulating the display, but incapable of stealing the transaction.
http://sentry-com.net/blog/wp-content/uploads/2010/09/MIT...


Strong Authentication - Implementation.
Strong authentication may include a combination of something you have (your PC), something you know (your PIN) and something you are (your Biometrics).  
But malware residing on your PC may key-log your PIN and replay your Biometrics, so that your "trusted" server will not be able to detect the problem. Therefore one needs to design the client in such a way that malware will not be able to bypass its security features. For example, it is well known that CAPTCHA is used to distinguish between humans and computer programs. It is also well known that fraudsters use "human service providers" who decode CAPTCHA online for a few $.
Another way to distinguish between malware and humans is SPEECH. Malware will not be able to speak into the PC microphone, while humans can do it quite easily, making malware prevention straightforward, provided all the ways to circumvent it are blocked.
Malware-resilient Strong Authentication may be 2-factor (PC ID and PIN), without the need for extra hardware, and take no more than 5 sec of the user's time.
If the application needs an extra level of security, at the expense of a longer session (15 sec), then Live Voice Biometrics can be added.

Use Case: Mission-critical transaction verification.
Quote from US White House "National Strategy for Trusted Identities in Cyberspace Creating Options for Enhanced Online Security and Privacy", June 25, 2010,
"Fraudulent transactions within the banking, retail, and other sectors along with intrusions against the Nation’s critical infrastructure assets that are essential to the functioning of our society and economy (utilities, transportation, financial, etc.) are all too common"
The use of malware-resilient strong authentication and transaction content is implemented in a Software-as-a-Service transaction verification solution, as demonstrated below:
http://www.sentry-com.net/files/2FA_demo3.swf
It is clear that user experience does not come at the expense of security.

# # #

SentryCom is a SaaS provider of user-friendly solutions for ID Fraud prevention, using proprietary and patented Strong Authentication and Crypto technologies, reducing ID Fraud revenue losses and at the same time reducing the cost of ID Fraud prevention.
Source:SentryCom Ltd.
Email:***@sentry-com.co.il Email Verified
Zip:34989
Tags:Malware Resilience, Strong Authentication, Crypto, Saas, Transaction Verification
Industry:Software, Security, Internet
Location:Haifa - Haifa - Israel